That LastPass or Bitwarden Security Email May Be a Scam

July 2026 · 4 minute read

Emily Long

Emily Long

Freelance Writer

Experience

Emily Long is a freelance writer based in Salt Lake City.

After graduating from Duke University, she spent several years reporting on the federal workforce for Government Executive, a publication of Atlantic Media Company, in Washington, D.C. She has nearly a decade of experience as a freelancer covering tech (including issues related to security, privacy, and streaming) as well as personal finance and travel.

In addition to Lifehacker, her work has been featured on Wirecutter, Tom’s Guide, and ZDNET. Emily has also worked as a travel guide around the U.S. and as a content editor. She has a masters in social work and is a licensed therapist in Utah.

Areas of Expertise

Read Full Bio

July 17, 2026

Add as a preferred source on Google Add as a preferred source on Google

Phone with a warning symbol over the top and floating paper money

Credit: Zooey Liao/Lifehacker/Getty Images

Table of Contents


You trust your password manager to keep your credentials, documents, and identity data secure—and you probably also trust notices that come from your password manager with steps to maintain that security. Scammers are counting on this: A new phishing campaign is targeting LastPass and Bitwarden users with fake security alerts designed to compromise their data and devices.

Earlier this week, LastPass alerted users to an impersonation scam in which threat actors are sending phishing emails that look like official security notices. The messages come from hello[at]lastpassnewsletter[.]com with the subject line "Action Required: Review Updated LastPass Security Policies."

In the email body, attackers outlined supposed changes to LastPass security monitoring and reporting protocols and noted that users "have 14 business days to review and accept the updated terms" via DocuSign. The link redirected to https[:]//lastpasscompliance[.]com/, which looked like a legitimate DocuSign page complete with a chatbot window, and prompted users to "download" DocuSign in order to review and sign the document. It's unclear whether the goal was to spread malware or harvest user credentials, as the malicious website has since been taken down. However, Bitwarden users have been targeted with a nearly identical campaign, according to BleepingComputer.

How to spot the password manager scam

On the surface, the phishing emails targeting LastPass and Bitwarden users are pretty convincing. They have some technical jargon, so users may skim over the specifics and trust that the information is legitimate. There's a call to action, but the email states that users have 14 days to accept the terms or their account "may be temporarily restricted"—so the urgency is slightly lower than with some other scams. The email even reassures users that their vaults and accounts are "completely secure" and states that the required steps are "strictly" administrative in nature.

What do you think so far?

That said, both the sender and the URL should raise suspicion. Neither lastpassnewsletter[.]com nor lastpasscompliance[.]com are official LastPass domains, nor is bitwardencompliance[.]com a real Bitwarden site. Never enter your master password or other credentials unless you navigate directly to your password manager's website or vault—links from emails, texts, or social media messages are at risk of being phishing attempts. If you've supplied your credentials to a suspicious site, update them immediately from a trusted device. You also shouldn't need to download software or use DocuSign for your password manager, and any actions on your account should occur when you are logged in to the legitimate site or vault.

Lifehacker has been a go-to source of tech help and life advice since 2005. Our mission is to offer reliable tech help and credible, practical, science-based life advice to help you live better.

© 2001-2026 Ziff Davis, LLC., A ZIFF DAVIS COMPANY. ALL RIGHTS RESERVED.

Lifehacker is a federally registered trademark of Ziff Davis and may not be used by third parties without explicit permission. The display of third-party trademarks and trade names on this site does not necessarily indicate any affiliation or the endorsement of Lifehacker. If you click an affiliate link and buy a product or service, we may be paid a fee by that merchant.